[c-nsp] Blocking a Mac address at a router interface
Joseph M. Lalley
jml2 at cornell.edu
Thu May 5 08:20:47 EDT 2005
Greetings
I tried implementing the post "On Thu, Sep 23, 2004 at 10:54:04AM -0500,
Seils, Zach".
Any idea why this would not work on a Cisco 3620? I can ping the IP address
of the BVI1 interface. I can ping no other devices on the interface when I
try to use this configuration. If I dismantle the configuration and put the
IP address back on e0/3 and remove the bridge group, I can reach the other
devices. Of course, the bad guy gets through also.
Thanks
Joe
----------------------------------------------------------------------------
bridge irb
!
interface Ethernet0/3
 description the Ethernet interface on my router that has the bad guy
 bridge-group 1
 bridge-group 1 input-address-list 707
 bridge-group 1 spanning-disabled
!
interface BVI1
 description ** IP interface tied to Ethernet0/3 **
 ! aaa.aaa.aaa.aaa is a routable address
 ip address aaa.aaa.aaa.aaa 255.255.255.0
!
! xxxx.xxxx.xxxx is the MAC address of the bad guy
access-list 707 deny xxxx.xxxx.xxxx 0000.0000.0000
access-list 707 permit 0000.0000.0000 ffff.ffff.ffff
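
Added example, not part of the original post: a small Python model of how a 700-series MAC address access list such as list 707 above is evaluated against the source MAC of a frame received on the bridged interface (entries checked in order, mask bits set to 1 ignored, implicit deny at the end). The function names are hypothetical and the MAC addresses are constructed stand-ins for the xxxx.xxxx.xxxx placeholder.

```python
import re

def mac_to_int(mac: str) -> int:
    """Accept Cisco dotted (aabb.ccdd.eeff), colon or dash notation."""
    digits = re.sub(r"[.:\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)

def parse_mac_acl(config: str, number: int):
    """Return [(action, address, mask)] for one 700-799 access list, in order."""
    if not 700 <= number <= 799:
        raise ValueError("MAC address access lists use numbers 700-799")
    pattern = rf"\s*access-list\s+{number}\s+(permit|deny)\s+(\S+)\s+(\S+)"
    entries = []
    for line in config.splitlines():
        m = re.match(pattern, line)
        if m:
            entries.append((m.group(1), mac_to_int(m.group(2)), mac_to_int(m.group(3))))
    return entries

def evaluate(entries, src_mac: str) -> str:
    """First match wins; a 1 bit in the mask means 'ignore this bit'."""
    src = mac_to_int(src_mac)
    for action, address, mask in entries:
        care = ~mask & 0xFFFFFFFFFFFF  # bits that must match exactly
        if (src & care) == (address & care):
            return action
    return "deny"  # implicit deny when no entry matches

# Constructed sample: list 707 from the post with a made-up MAC
# substituted for the xxxx.xxxx.xxxx placeholder.
SAMPLE_CONFIG = """
access-list 707 deny 0011.2233.4455 0000.0000.0000
access-list 707 permit 0000.0000.0000 ffff.ffff.ffff
"""

if __name__ == "__main__":
    acl = parse_mac_acl(SAMPLE_CONFIG, 707)
    for mac in ("0011.2233.4455", "00:11:22:33:44:56", "00-aa-bb-cc-dd-ee"):
        print(mac, "->", evaluate(acl, mac))
```

With the all-zero mask only the one exact address is denied; without the final permit line every other source address would fall through to the implicit deny.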